Ryfujk

Why isn't everyone flabbergasted about Bran's "gift"?

Israeli soda type drink

What does こした mean?

How do I deal with an erroneously large refund?

What do you call an IPA symbol that lacks a name (e.g. ɲ)?

What was Apollo 13's "Little Jolt" after MECO?

All ASCII characters with a given bit count

Specify the range of GridLines

Processing ADC conversion result: DMA vs Processor Registers

Suing a Police Officer Instead of the Police Department

Did war bonds have better investment alternatives during WWII?

Is there a way to fake a method response using Mock or Stubs?

false 'Security alert' from Google - every login generates mails from 'no-reply@accounts.google.com'

Eigenvalues of the Laplacian of the directed De Bruijn graph

How would it unbalance gameplay to rule that Weapon Master allows for picking a fighting style?

RIP Packet Format

Co-worker works way more than he should

Test if all elements of a Foldable are the same

Are these square matrices always diagonalisable?

When does Bran Stark remember Jamie pushing him?

Why do people think Winterfell crypts is the safest place for women, children & old people?

Why would the Overseers waste their stock of slaves on the Game?

/bin/ls sorts differently than just ls

What is the ongoing value of the Kanban board to the developers as opposed to management

SQL Proxying DMZ webserver connection

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box;
}

0

We've got a product coming in which is requesting us to open up a connection from the web server (WEB) in our DMZ to our production database server (PROD). The production database is literally only PHI, so my team is rather against this idea. Our primary concern is if WEB becomes compromised the attacker would then have direct access to the production DB residing on PROD. We've already got another server (TRUSTED), for outbound requests and VPN-based inbound only, in the DMZ with SQL access to PROD. The best operation idea we've come up with is to have WEB open its DB connection to TRUSTED via an IPSec tunnel, at which point TRUSTED would act as a proxy and forward the SQL requests to PROD and return traffic along the tunnel. The thought is with this topology WEB as a machine could become compromised but the application or its associated traffic would need to be hijacked in order to act maliciously, rather than allowing any traffic on the correct port direct access to PROD.

Are we over-complicating the scenario or is there a flaw in our logic? If neither, how would you go about doing so?

sql-server web-server proxy ipsec dmz

share

asked 5 mins ago

flippindflippind

1

New contributor

flippind is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

add a comment | 

0

We've got a product coming in which is requesting us to open up a connection from the web server (WEB) in our DMZ to our production database server (PROD). The production database is literally only PHI, so my team is rather against this idea. Our primary concern is if WEB becomes compromised the attacker would then have direct access to the production DB residing on PROD. We've already got another server (TRUSTED), for outbound requests and VPN-based inbound only, in the DMZ with SQL access to PROD. The best operation idea we've come up with is to have WEB open its DB connection to TRUSTED via an IPSec tunnel, at which point TRUSTED would act as a proxy and forward the SQL requests to PROD and return traffic along the tunnel. The thought is with this topology WEB as a machine could become compromised but the application or its associated traffic would need to be hijacked in order to act maliciously, rather than allowing any traffic on the correct port direct access to PROD.

Are we over-complicating the scenario or is there a flaw in our logic? If neither, how would you go about doing so?

sql-server web-server proxy ipsec dmz

share

asked 5 mins ago

flippindflippind

1

New contributor

flippind is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

add a comment | 

We've got a product coming in which is requesting us to open up a connection from the web server (WEB) in our DMZ to our production database server (PROD). The production database is literally only PHI, so my team is rather against this idea. Our primary concern is if WEB becomes compromised the attacker would then have direct access to the production DB residing on PROD. We've already got another server (TRUSTED), for outbound requests and VPN-based inbound only, in the DMZ with SQL access to PROD. The best operation idea we've come up with is to have WEB open its DB connection to TRUSTED via an IPSec tunnel, at which point TRUSTED would act as a proxy and forward the SQL requests to PROD and return traffic along the tunnel. The thought is with this topology WEB as a machine could become compromised but the application or its associated traffic would need to be hijacked in order to act maliciously, rather than allowing any traffic on the correct port direct access to PROD.

Are we over-complicating the scenario or is there a flaw in our logic? If neither, how would you go about doing so?

sql-server web-server proxy ipsec dmz

share

asked 5 mins ago

flippindflippind

1

New contributor

flippind is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

share

asked 5 mins ago

flippindflippind

1

New contributor

flippind is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

share

asked 5 mins ago

flippindflippind

1

New contributor

flippind is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

asked 5 mins ago

flippindflippind

1

New contributor

flippind is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

asked 5 mins ago

flippindflippind

1